After installing Sun Cluster 3.0 software and performing basic cluster configuration, the next task is to set up the applications or data services that will run on the cluster. This procedure involves a number of steps, many of which need to be performed from the command line. Others, such as creating a resource group, can be performed through the SunPlex GUI. Because these steps require executing complicated commands or traversing several GUI screens, it is advantageous to write scripts that can simplify and automate the data service and configuration process. Scripts are also a valuable tool to capture work completed in a test environment to ensure consistent deployment on the production network. In addition, scripts are useful to enable less-experienced system administrators to perform complex configuration tasks, or to rebuild systems for multiple testing purposes. To highlight how to architect such scripts, this article illustrates best practices in deploying the HA-NFS data service, for which the agent is contained on the Sun Cluster 3.0 Data Services CD-ROM.

Sun™ Cluster 3.0 12/01 software is used by organizations to provide
additional assurance that mission-critical services will be available despite
unexpected hardware or software failures or usage requirements. The business
criticality of Sun Cluster deployments requires that the nodes in a cluster be
protected against unauthorized access and misuse by malicious individuals.

To provide a robust environment in which Sun Cluster 3.0 12/01 software can
be deployed, very specific requirements have been placed on the configuration of
the Solaris™ Operating Environment (Solaris OE) used on Sun Cluster 3.0 nodes.
Before the release of Sun Cluster 3.0 12/01 software, no secured configurations
were supported. This article takes a first step towards providing secured
configurations that use Sun Cluster 3.0 12/01 software by describing how three
specific agents can be deployed in a secured configuration that is supported by
Sun Microsystems.

These security recommendations are specific to the three Sun Cluster 3.0
agents supported in secured environments: the iPlanet™ Web Server software, the
Apache web server, and the iPlanet™ Messaging Server software.

This article contrasts the recommendations made in the Sun BluePrints™ OnLine
article "Solaris™ Operating Environment Security: Updated for Solaris 8
Operating Environment" with the functionality required by the Sun Cluster
software. This article also describes methods for simplifying the deployment of
secured configurations across the potentially many nodes in a cluster and an
automated mechanism to deploy them. Solaris™ Security Toolkit software, a free
toolkit that automates the hardening of Solaris OE systems, is used to harden the
Solaris OE images running on the nodes, as well as to install the other security
software recommended in this article.

The Solaris Security Toolkit software makes over 80 modifications to the OS
of each cluster node. These modifications not only disable unneeded services but
also enable optional Solaris OE security enhancements. Executing the Solaris
Security Toolkit hardening scripts for Sun Cluster software on a running cluster
significantly reduces the number of Solaris OE services and daemons, as well as
the number of access points into the cluster.

By reducing access points, disabling unused services, enabling optional
security features, and generally improving the overall security of the cluster
nodes, you make it much more difficult for an intruder to gain access to the
cluster and misuse its resources.

Software Versions

The Solaris OE security hardening recommendations and the security
recommendations for the Sun Cluster 3.0 software secured configuration
documented in this article are based on the Solaris 8 10/01 OE (Update 6).

The Sun Cluster software qualified to run in the secured environment is Sun
Cluster 3.0 12/01 software using either the iPlanet Web Server, the Apache web
server, or the iPlanet Messaging Server software. The Apache web server and the
iPlanet Web Server software are supported in either scalable or failover modes,
while the iPlanet Messaging Server software is only supported in failover
mode.